QNAP VioStor NVR vulnerability actively exploited by malware botnet

A Mirai-based botnet named 'InfectedSlurs' is exploiting a remote code execution (RCE) vulnerability in QNAP VioStor NVR (Network Video Recorder) devices to hijack and make them part of its DDoS (distributed denial of service) swarm.

The botnet was discovered by Akamai's Security Intelligence Response Team (SIRT) in October 2023, who observed the exploitation of two zero-day vulnerabilities in routers and NVR devices, likely starting in late 2022.

At the time, and due to the vendors not having released patches, Akamai opted not to disclose any information about the flaws that InfectedSlurs was exploiting.

As the security updates or information about the two zero-days have been made available, Akamai published two follow-up reports (1, 2) to plug the gaps left in the original report from late November.

The first zero-day flaw exploited by InfectedSlurs is tracked as CVE-2023-49897 and impacts FXC AE1021 and AE1021PE WiFi routers.

The vendor released a security update on December 6, 2023, with firmware version 2.0.10, and recommended that users perform a factory reset and change the default password after its application.

The second zero-day vulnerability in the botnet's attacks is CVE-2023-47565, a high-severity OS command injection impacting QNAP VioStor NVR models running QVR firmware 4.x.

QNAP published an advisory on December 7, 2023, explaining that the previously unknown issue was fixed in QVR firmware 5.x and later, which is available to all actively supported models.

Since version 5.0.0 was released nearly a decade ago, it is deduced that the Infected Slurs botnet targets legacy VioStor NVR models that never updated their firmware after initial setup.

The vendor recommends the following actions on vulnerable NVR devices:

Login to QVR as administrator, head to 'Control Panel → System Settings → Firmware Update,' select the 'Firmware Update' tab, and click 'Browse' to locate the right version for your specific model.

Finally, Click 'Update System' and wait for QVR to install the update.

Additionally, it recommends changing user passwords on QVR through 'Control Panel → Privilege → Users → Change Password,' enter a new strong password, and click 'Apply.'

A VioStor NVR model that has reached EOL (end-of-life) may not have an available update that includes firmware 5.x or later.

These devices will not receive a security update, so the only solution is to replace them with newer, actively supported models.